Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0.
Published: 2026-03-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (potential unintended code execution)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Improper Control of Filename for Include/Require Statement in PHP, resulting in a Local File Inclusion flaw in the Melania theme for WordPress. An attacker who can influence the filename used in the include/require statement may be able to read or include sensitive local files, which could lead to disclosure of confidential data or execution of arbitrary code on the compromised site. The weakness is classified as CWE-98.

Affected Systems

This issue affects ThemeREX Melania themes for WordPress from the initial release through version 2.5.0. The vulnerability is not present in versions released after 2.5.0.

Risk and Exploitability

The CVSS v3 score of 8.1 indicates a high severity level. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker with access to the website can manipulate the include path to access local files. Exploitation would require the ability to direct the theme to include a malicious or sensitive file, but no prior setup or elevated privileges are explicitly required beyond normal web access.

Generated by OpenCVE AI on March 20, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Melania theme to version 2.5.1 or later

Generated by OpenCVE AI on March 20, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex melania
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex melania
Wordpress
Wordpress wordpress

Fri, 20 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0.
Title WordPress Melania theme <= 2.5.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Themerex Melania
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-20T14:02:03.097Z

Reserved: 2026-01-07T12:21:02.764Z

Link: CVE-2026-22324

cve-icon Vulnrichment

Updated: 2026-03-20T14:01:42.695Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-20T10:16:18.413

Modified: 2026-03-20T13:37:50.737

Link: CVE-2026-22324

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T16:30:37Z

Weaknesses